
Graduate student: 林沛雯 (Lin, Pei-Wen)
Thesis title: Improving Accuracy of Detecting DDoS Attacks Based on Traffic Asymmetry and Volume in SDN (original title: 在軟體定義網路中利用流量的非對稱性和規模改善偵測分散式阻斷服務攻擊的準確率)
Advisor: 蔡孟勳 (Tsai, Meng-Hsun)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2022
Academic year of graduation: 110
Language: English
Number of pages: 40
Keywords: Software-Defined Networking, Distributed Denial-of-Service attack, Network Measurement
  • Driven by new network technologies such as the Internet of Things, DDoS attack traffic keeps reaching new highs. On the Internet, cyberattacks against vital services and websites provided by banks and government agencies are often DDoS attacks. Therefore, a good network measurement method is urgently needed.
    With the development of software-defined networking, many methods have been proposed. Some of these methods use techniques such as machine learning, but they usually require a lot of memory, and the switch often needs to transmit a large amount of data to the controller during the detection process. The resulting transmission cost can make an already attacked network environment even worse. We therefore propose a network measurement method based on the sketch structure to solve these problems. Earlier studies have pointed out that the characteristics of DDoS attack traffic include an asymmetry between the number of packets sent and received, and heavy traffic. The goal of our approach is to collect, on the switch, the IP addresses that have these characteristics.
    We confirm these two characteristics of DDoS traffic by counting the number of packets sent and received by IP addresses in six well-known datasets, and we find the best thresholds for our method according to different performance metrics. Experimental results show that our method preserves IP addresses with the above properties better than other methods, and that it has the best performance in detecting the IP addresses of DDoS attackers and victims.

    Chinese Abstract
    Abstract
    Acknowledgements
    Contents
    List of Tables
    List of Figures
    1 Introduction
    2 Related Work
      2.1 Non-Sketch-Based Method
      2.2 Sketch-Based Method
    3 Scheme Design and Implementation
      3.1 Data Structure
      3.2 Operation: Insertion
      3.3 Operation: Kick
    4 Evaluation
      4.1 Datasets
      4.2 Relationship Between DDoS Attackers (Victims) and Asymmetric IPs
      4.3 Tuning Thresholds of Sketch
        4.3.1 Simulation Parameter
        4.3.2 Tuning νthr
        4.3.3 Tuning Tthr
      4.4 Performance Evaluation
        4.4.1 Accuracy of Preserving The Top Asymmetric IPs
        4.4.2 Accuracy of Detecting DDoS Attackers (Victims)
    5 Conclusions
    References

